Security Management
359
Managed Switches
Privileged Exec Command Mode Authorization
Authorization determines if a user is authorized to perform certain activities such entering
privileged EXEC commands.
When user command authentication succeeds, the user receives access to the user EXEC
mode. You can also provide a user direct access to the privileged EXEC mode by using the
EXEC authorization method.
If the EXEC authorization method uses a TACACS+ authorization server, a separate session
is established with the TACACS+ server to return the authorization attributes.
If the EXEC authorization method uses a RADIUS authorization server, service–type
attribute 6 or Cisco vendor-specific attribute (VSA) “shell:priv-lvl” is used. If the service-type
attribute value is returned as administrator or the Cisco VSA “shell:priv-lvl” is at least
FD_USER_MGR_ADMIN_ACCESS_LEVEL(15), the user receives access to the privileged
EXEC mode.
Because the RADIUS protocol does not support authorization, the privilege level attribute
must be returned with the authentication response. If the service-type attribute is already
present in RADIUS response packet as administrator, the Cisco VSA “shell:priv-lvl” is
ignored.
CLI Example 1: Configure EXEC Authorization by a TACACS+
Server
The following example shows how to use the CLI to configure command authorization by a
TACACS+ server for a Telnet user and allow the user to access privileged EXEC mode
directly.
1. Change the authentication mode for Telnet users to TACACS.
(Netgear Switch)(Config)#aaa authentication login "networkList" tacacs
To Next Page
Loading...
